Splunk Search

Tracking of particular field

N92
Path Finder

I have two fields, and from them I want to track one particular field with the starting value of this one & the ending value of that one. For that, I have written what is shown below. Is any correction needed?

| transaction abc xyz startswith=(xyz="something") endswith=(cs_uri_stem="anything") maxspan=1s

Here I have currently added maxspan=1s, but I want to check the immediate next event with the "anything" value, which may occur before 1s.
I want to focus only on the immediate next event from abc.

Another question is: here I am tracking only one value. But how can I track the field value in both fields? Please share an example.

0 Karma

tiagofbmm
Influencer

Have you checked the following option?

maxevents
Syntax: maxevents=<int>
Description: The maximum number of events in a transaction. If the value is negative this constraint is disabled.
Default: 1000

That with a value of 2 will get you the immediate next event with the abc value.

0 Karma

N92
Path Finder

| transaction abc xyz startswith=(xyz="something") endswith=(xyz="anything") maxevents=2

If I am adding maxevents, will it also match xyz's starting & ending value?

After matching the xyz value, will it go further & check maxevents for the abc field?

0 Karma

tiagofbmm
Influencer

Yes.

Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that.

0 Karma
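An added, self-contained illustration of the maxevents=2 behaviour discussed in this thread (it is not from the original posts). It constructs five events with makeresults so it runs on any Splunk instance without indexed data, and uses the assumed fields user, action and cs_uri_stem as stand-ins for the thread's abc/xyz fields; the transaction is keyed on user, starts at a login and is allowed at most two events, so it can only ever capture the event immediately following the login.

```spl
| makeresults | eval _time=strptime("2024-05-01 10:00:00", "%Y-%m-%d %H:%M:%S"), user="alice", action="login", cs_uri_stem="/login"
| append [| makeresults | eval _time=strptime("2024-05-01 10:00:01", "%Y-%m-%d %H:%M:%S"), user="alice", action="request", cs_uri_stem="/home"]
| append [| makeresults | eval _time=strptime("2024-05-01 10:00:02", "%Y-%m-%d %H:%M:%S"), user="alice", action="request", cs_uri_stem="/admin"]
| append [| makeresults | eval _time=strptime("2024-05-01 10:00:05", "%Y-%m-%d %H:%M:%S"), user="bob", action="login", cs_uri_stem="/login"]
| append [| makeresults | eval _time=strptime("2024-05-01 10:00:06", "%Y-%m-%d %H:%M:%S"), user="bob", action="request", cs_uri_stem="/admin"]
``` Constructed sample events: alice's login is followed by /home and only then by /admin; bob's login is followed directly by /admin.
| sort 0 -_time
``` transaction expects results newest-first, as a normal search returns them.
| transaction user startswith=(action="login") endswith=(cs_uri_stem="/admin") maxevents=2
``` maxevents=2 closes the group after the event right after the login, whether or not endswith matched.
| table _time user eventcount duration cs_uri_stem
```

In the output, bob's transaction pairs the login with /admin (endswith matched), while alice's transaction holds only /login and /home: the /admin request one second later is not pulled in even though it matches endswith, which is the "immediate next event" behaviour asked about, with no need for a maxspan guess.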